A quartet of U.S. Senators from both sides of the aisle have introduced new legislation aimed at helping healthcare organizations weather the onslaught of ransomware and other cyberattacks.

WHY IT MATTERS
The new bill, The Health Care Cybersecurity and Resiliency Act of 2024, was introduced by HELP Committee ranking member Dr. Bill Cassidy, R-La., along with Sens. Mark Warner, D-Va., John Cornyn, R-Texas, and Maggie Hassan, D-N.H.

"This bipartisan legislation ensures health institutions can safeguard Americans’ health data against increasing cyber threats," said Cassidy in a press statement.

All of those senators are members of a healthcare cybersecurity working group that was formed on Capitol Hill a year ago, and the provisions of this legislation arise from their discussions there.

Among other requirements, the Cybersecurity and Resiliency Act would offer grants to healthcare organizations to help them shore up their ability to prevent and respond to cyberattacks, in addition to funding training to help foster cybersecurity best practices. 

In particular, the grants would be targeted at underserved communities, to help rural health clinics and other providers improve basic cyber hygiene, boost resilience and improve coordination with federal agencies.

The bill also calls for better coordination between the Department of Health and Human Services and the Homeland Security department's Cybersecurity and Infrastructure Security Agency to better respond to healthcare's cybersecurity needs.

On the policy front, the act would call for updates and modernization to existing regulations governing HIPAA covered entities – requiring them and their business associates to adhere to certain baseline standards and "use modern, up-to-date cybersecurity practices – and it would require the U.S. Secretary of Health and Human Services to create and implement a cybersecurity incident response plan.

THE LARGER TREND
Cassidy, Warner, Cornyn and Hassan convened the Senate Health Care Cybersecurity Working Group in November 2023 in response to the "disturbing rise in cyberattacks" on healthcare organizations, as Cassidy said at the time, noting that a then record 89 million Americans had seen their health information breached in 2023 – twice as many as the year before.

Those attacks cost $10 million per breach, on average. Worse, they can often disrupt care delivery for days or even weeks, posing significant risks to patient safety.

"Cyberattacks on our healthcare systems and organizations not only threaten personal and sensitive information, but can have life-and-death consequences with even the briefest period of interruption," said Warner. "I’m proud to introduce this bipartisan legislation that strengthens our cybersecurity and better protects patients."

Rural hospitals, under-resourced and understaffed, are particularly vulnerable. (The White House, along with Big Tech giants Google and Microsoft, have offered funding and expertise to help them.)

As the ongoing scourge of healthcare cyberattacks reaches "epidemic proportions," federal leaders are advocating for increased public-private collaboration and layered defense approaches to help health systems strengthen and stabilize their security postures and improve their responsiveness.

Meanwhile, other legislation has been proposed in response to the cybersecurity crisis. Earlier this fall, Warner, along with Sen. Ron Wyden, D-Ore., unveiled a separate Finance Committee bill, the Health Infrastructure Security and Accountability Act, which would also increase funding to rural and underserved hospitals to help them meet certain mandated cybersecurity protocols.

ON THE RECORD
"Cyberattacks in the healthcare sector can have a wide range of devastating consequences, from exposing private medical information to disrupting care in ERs – and it can be particularly difficult for medical providers in rural communities with fewer resources to prevent and respond to these attacks," said Hassan in a statement. "Our bipartisan working group came together to develop this legislation based on the most pressing needs for medical providers and patients, and I urge my colleagues to support it."

"In an increasingly digital world, it is essential that Americans’ healthcare data is protected," added Cornyn. "This commonsense legislation would modernize our healthcare institutions’ cybersecurity practices, increase agency coordination, and provide tools for rural providers to prevent and respond to cyberattacks."

Mike Miliard is executive editor of Healthcare IT News
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.